[SERVER-11572] Mongo shell should not require a password for SSPI on a domain joined computer when authenticating via the command line
Created: 05/Nov/13  Updated: 11/Jul/16  Resolved: 23/Jan/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.5

Type: Bug
Priority: Minor - P4
Reporter: Craig Wilson
Assignee: Eric Milkie
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Windows Mongo Shell


Issue Links:
Depends
Related
related to TOOLS-163 Mongo tools should not require a pass... Closed
Operating System: Windows

 Description   

On a Windows computer joined to a domain, it should not be required to provide a password for SSPI when logged in as the desired user.

On the test box, I can successfully authenticate when providing a password, but when the password is omitted, the following error is produced:

> mongo hostname -authenticationMechanism=GSSAPI -authenticationDatabase=$external -username user@DOMAIN.COM
MongoDB shell version: 2.5.4-pre-
connecting to: hostname/test
2013-11-05T14:14:26.053+0000 Error: 17 SASL(-1): generic failure: SSPI: InitializeSecurityContext: The logon attempt failed at src/mongo/shell/db.js:1199
exception: login failed



 Comments   
Comment by Githook User [ 23/Jan/14 ]

Author: Eric Milkie (milkie) <milkie@10gen.com>

Message: SERVER-11572 permit no-password auth for Windows Kerberos mongo shell from command line
Branch: master
https://github.com/mongodb/mongo/commit/6f7364be380fd69a9725339123e5476518ddbaee

Comment by Craig Wilson [ 05/Nov/13 ]

The server has no error. Other than a connection being opened and then forcibly closed by the client, it doesn't appear that the client ever attempts to authenticate to the server.

Comment by Eric Milkie [ 05/Nov/13 ]

What's the server log error when auth fails in this way?

Comment by Craig Wilson [ 05/Nov/13 ]

Also true with regards to the tools, mongodump, mongorestore, etc...

Comment by Eric Milkie [ 05/Nov/13 ]

Very interesting. Thanks for updating the description. Hopefully it won't be too hard to fix.

Comment by Craig Wilson [ 05/Nov/13 ]

I have confirmed this works correctly with the shell helper. However, it does not work via the command line as you correctly surmised.

Comment by Eric Milkie [ 05/Nov/13 ]

This ought to work already.
How did you start the shell?
What messages appear in the server log?

My first guess is that you are attempting to authenticate automatically via command line arguments rather than using the auth() shell helper directly. I had success using the shell helper but I never tried using the command line arguments to authenticate, so the problem might lie there.
